Active Directory Lightweight Directory Services (AD-LDS) - What are you using it for, and how?

Hello,

I am working with AD-LDS and am trying to create a single sign-on solution that can be used for web servers / applications / etc....can anyone describe what they are using AD-LDS for and how they're syncing from Active Directory?
Asked by jkeegan123

1 Solution

Cliff Galiher commented:
AD-LDS is not the right tool for that job. If you are looking for single sign-on, you want ADFS.
jkeegan123 (Author) commented:
Perhaps I was not being clear; I thought that AD-LDS was the right tool here. What I want to do is combine multiple directories using AD-LDS so that (5) or so Windows domains in different sites, connected via VPN without trusts, can make use of the single AD-LDS directory that we pull / sync accounts to from each of the 5 domains.

Am I getting warmer?  :)
Cliff Galiher commented:
*IF* you want single sign-on, no. Windows specifically hardens credential storage on DCs so there is no legitimate way to sync credentials to AD-LDS. Also AD-LDS doesn't have Kerberos support built in like AD-DS. You could create a custom property in AD-LDS (after all, that's why it is there) to store passwords (hashed or otherwise) but you'd be writing your own authentication mechanism to write that property and it would *not* be an SSO experience at all. Because it'd be a custom property and a custom authentication method, there is no way to even enforce that the passwords are the same.

AD-LDS *does* support proxying authentication back into AD-DS, but it only does so if AD-LDS is a member server, and it only does so to a domain controller of the domain of which the AD-LDS server is a member. That would not work with your 5-domain scenario with no trusts: it would not be able to proxy requests to four of the domains, and the DCs, not having trusts, would not be able to handle the proxied request.

In short, if you have permissions to sync AD objects, I'm not sure why you wouldn't implement trusts. That'd be a far more efficient process. And for most SSO web scenarios, you'll need ADFS any which way. So I still don't see AD-LDS being the right tool here.
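The proxy-bind limits described in this answer can be checked before anyone builds on them. The following PowerShell script is an added example, not code from the thread or from Microsoft: it verifies that the AD-LDS host is domain-joined, enumerates the userProxy / userProxyFull objects in an application partition, and flags any whose objectSid does not belong to the host's own domain, since those binds can never be redirected to a reachable DC. The instance address localhost:50000 and the partition DN CN=App,DC=example,DC=com are assumed placeholders.

```powershell
# Added example (not from the original thread): preflight check for AD-LDS bind redirection.
# Assumptions: the AD-LDS instance listens on localhost:50000 and hosts the application
# partition CN=App,DC=example,DC=com. Requires the ActiveDirectory PowerShell module.
param(
    [string]$LdsServer   = "localhost:50000",          # assumed instance host:port
    [string]$PartitionDN = "CN=App,DC=example,DC=com"  # assumed partition DN
)

Import-Module ActiveDirectory

# 1. Bind redirection only works when the AD-LDS host is a member of an AD DS domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "Host is not domain-joined; AD-LDS cannot proxy binds to AD DS at all."
    return
}
Write-Output "AD-LDS host is a member of domain: $($cs.Domain)"

# 2. The only DCs a proxied bind can reach are those of the host's own domain,
#    so record that domain's SID for comparison.
$localDomainSid = (Get-ADDomain).DomainSID.Value

# 3. Enumerate proxy objects in the application partition. The AD cmdlets talk to
#    AD-LDS when -Server is given as host:port.
$proxies = Get-ADObject -Server $LdsServer -SearchBase $PartitionDN `
    -LDAPFilter "(|(objectClass=userProxy)(objectClass=userProxyFull))" `
    -Properties objectSid

$bad = 0
foreach ($p in $proxies) {
    if (-not $p.objectSid) {
        Write-Warning "$($p.DistinguishedName): no objectSid, bind redirection will fail"
        $bad++
        continue
    }
    # AccountDomainSid strips the RID and yields the SID of the issuing domain.
    $domainPart = $p.objectSid.AccountDomainSid.Value
    if ($domainPart -ne $localDomainSid) {
        Write-Warning "$($p.DistinguishedName): SID from foreign domain $domainPart; no trust path, cannot be proxied"
        $bad++
    }
    else {
        Write-Output "$($p.DistinguishedName): OK (maps to local domain)"
    }
}

Write-Output "Checked $($proxies.Count) proxy object(s); $bad would fail redirection."
```

Run it on the AD-LDS server itself, as an account that can read the application partition. Objects reported as foreign are exactly the five-domain case in the thread: their SIDs belong to domains the host's DCs cannot authenticate for, so the bind is rejected regardless of what is stored in AD-LDS.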
jkeegan123 (Author) commented:
Thank you, that was a very succinct explanation for why this will not work.

I REALLY think that the tech community at large SEVERELY misunderstands what AD-LDS can and cannot do...What I learned through this long journey is:  

- Exactly how to work with and set up AD-LDS --> It's very useful and cool
- Exactly the nuances of setting up schema differences between domains / partitions. This was useful in and of itself.
- The tech community enjoys very much posting 75% of their experience and missing the last 25%.  This is probably because most people have no idea exactly what this is capable of.

Thank you VERY much for your help.

I still need to sync passwords between domains, this is more of a service-provider relationship than a true multi-domain scenario where domains can be trusted...do you have any tips on using another tool to do this, perhaps Forefront Identity Management (FIM)?  I see that RACKSPACE, Intermedia, etc...do similar syncs that I'm talking about, where we have to target a specific OU for source accounts (can't take the entire directory, bad idea...) and PCNS (Password Change Notification Service) runs on every DC to notify the provider of the password change.

Do you know of any way to implement something like this?  I'm willing to go down the FIM road, but I need to know if this is the right tool before going on this journey.

Thanks!
Cliff Galiher commented:
FIM can do this and is actually what Microsoft's own implementation of dirsync was built on.